Ventoy: Remove BLOBs from the Source Tree

94 points by 6581 1 year ago | 49 comments
  • transpute 1 year ago
    Why is Deepin the only distro worthy of a "Friendly Link" on the Ventoy home page? Are they a sponsor of the project? Code contributor? Preferred demo platform? https://web.archive.org/web/20240614040917/https://ventoy.ne...

    Ventoy developer longpanda offers tools for injection into Linux and Windows ISOs, which work with the Ventoy injection plugin, https://news.ycombinator.com/item?id=38691857

    > Deepin is a distribution developed in Wuhan, China by Deepin Technology. Its homepage proclaims it "the top Linux distribution from China" ... The extensive EULA is uncommon for the Linux space, and the privacy policy goes into some detail about the types of information they collect – not just browser history, but information on when you use your computer and the applications installed on your system.

    • zamadatix 1 year ago
      What underlying result are you hoping the long-term fixation on asking this question is going to resolve? The developer is Chinese and probably doesn't care what someone else's preferred distro is, or maybe they are associated with it - what difference does it make to why it's on the site, and why not just ask them directly about it instead?

      If you mean to just highlight the association with Deepin it doesn't need to be guised as a question.

      • Fnoord 1 year ago
        If you look at https://github.com/ventoy then longpanda is Ventoy and they're very likely from China:

        > It would be much appreciated if you want to make a small donation to support my work!
        > Alipay, WeChat Pay, PayPal and Bitcoin are available for donation. You can choose any of them.

    • graton 1 year ago
      From the very beginning I've been reluctant to use Ventoy. In the beginning there were no instructions on how to build from source. Then after that there were binary blobs that were used in the build.

      So far I've never used Ventoy due to these issues. The concept sounds great though.

      • ungamedplayer 1 year ago
        The attitude in the comments regarding the "look you can see how it's built" is concerning.

        A simple virus could easily backdoor every binary on the system which built the file, rinse and repeat.

        Before anyone says that Linux viruses do not exist, I have written a handful, as I'm sure many others have. Do not assume lack of observation to be confirmation of your view.

        • squigz 1 year ago
          I don't think I know a single IT professional that would allege that Linux viruses don't exist.
          • DANmode 1 year ago
            Meaning none you'd keep close,

            or that you've genuinely never come across one?

            I mean, just stop by reddit!

          • isoprophlex 1 year ago
            Fascinating. If you feel like sharing, what was your motive? Profit, research, the lulz?
            • worthless-trash 1 year ago
              I have always been interested in how these things work, and based an early one on Silvio Cesare's paper ( https://www.win.tue.nl/~aeb/linux/hh/virus/unix-viruses.txt ) as I was associated with him while at university. This virus was to confirm what was written in the paper.

              The second I wrote was attempting to exploit the trust that Erlang VMs have with each other. I have rewritten a few in various BEAM-based languages; this was to give evidence to management that security/protections should be put in place for Erlang clustering (RabbitMQ, HA Erlang, etc).

              Another was for working for a large North American Linux vendor's product security group, in an effort to know one's enemy and the effort involved in some of the 'in-the-field' backdoors that were found. In this case, I was reproducing the "virus/RAT" (I use that term loosely) that contained the dirtycow exploit primitive in the wild. I also reversed/reproduced/(exploited?) their exploitable C&C infrastructure. This information was handed over to law enforcement and I've never heard any more about it.

              Each virus had its own reason, none of them escaped my demonstrations.

          • fastily 1 year ago
            Yeah, that part has always been weird. I will say that it works wonderfully, especially if you need to install Windows from a USB but only have computers running Linux/Mac available.
          • hddherman 1 year ago
            The demand for a Ventoy-like tool is clearly there, but I hope that one day we'll have an alternative that we can actually trust. Until then it seems that having a small collection of USB sticks is still the way to go; the inconvenience is preferable to the whole installation getting compromised.
            • BobbyTables2 1 year ago
              The amount of “marketing” with the corresponding lack of technical documentation also greatly disturbs me.

              On one hand, it integrates a lot of open source components, but there is enough custom stuff going on that I’m concerned.

              Look how it boots a Linux live cd… Initramfs injection is well used — perfect for malware.

              • catlikesshrimp 1 year ago
                I use and recommend Ventoy for convenience. It is so convenient. That is, good for nerds to play with hardware and test distros. Not for end users.

                For security, I always recommend burning an ISO onto a physical optical disc. Check the ISO MD5 before burning. No thumb drives.

                Then pray God your government only approves sales of backdoored hardware where you live. I recommend at least disabling (pulling out) the built-in network cards (yes, wifi/bt too) and buying USB replacements.

              • brunoqc 1 year ago
                177 thumbs up on the issue and 0 replies from the maintainer in those 2 months.

                "concerning"

                • teraflop 1 year ago
                  Aside from the security issues, this project is pretty clearly violating the GPL by distributing binary versions of other people's code without including either the source code or the original copyright notices.
                  • suprjami 1 year ago
                    GPL does not mandate inclusion nor public availability of source code. The code must be provided to users upon request. Most providers of binaries make the source public so they don't have to handle each request manually.
                  • jauntywundrkind 1 year ago
                    What alternatives are there?

                    Nowhere near the ergonomics as far as I can tell, but with containers, there's been an effort to make bootable containers. I seem to remember there being some other options (I wanna say like Wyvern or something like that was one, but not finding it), but the big obvious effort is bootc. https://containers.github.io/bootable/projects.html . 38d old thread: https://news.ycombinator.com/item?id=40289120

                    • kotaKat 1 year ago
                      The physical one, which is more reliable to boot because it's emulating the actual USB-DVD/USB-HD/USB-flash interfaces when you use it.

                      https://www.iodd.shop/IODD-ST400-USB-30-External-Encrypted-H...

                      I love using my IODD in "dual-mode" with Clonezilla. It exposes a USB-DVD drive with an emulated Clonezilla DVD in it as well as its HDD storage, so I can dump an image right to the hard drive.

                      (Bonus points: I can then have Clonezilla bundle me a clonezilla-iso package of my captured image, and save it back into the ISO folder to boot from later!)

                      • k8svet 1 year ago
                        I almost want one of these, except I have no use for it nowadays. Ventoy didn't even work the one time I tried it, probably because it couldn't hook NixOS's initrd properly.

                        But also, I'm insanely frustrated that (1) Google doesn't allow USB Gadget mode to do this from stock Android (2) the app that appeared to work for LineageOS/rooted devices is abandonware.

                        There's no good reason why your phone can't serve up ISOs with gadget mode.

                        I already travel with my ancient Pixel 3a as a backup (which has come in handy, clumsy me). It would be slick to have that as a portable ISO host, and backup phone. (Ignore the USB2 USB-C port, it's fine.)

                        • hddherman 1 year ago
                          I remember giving that a go many years ago. Not 100% successful, but when it worked, it was fantastic. It would be incredibly handy nowadays, especially for troubleshooting use cases. OS installation, memtest, clonezilla, portable Windows installation, and you'll always have them with you since you're already carrying your phone!
                          • ryukafalz 1 year ago
                            This might not help you that much depending on your use case but Ubuntu Touch can do this: https://open-store.io/app/me.fredl.isodrive

                            ...and runs on the Pixel 3a: https://devices.ubuntu-touch.io/device/sargo/

                        • 20after4 1 year ago
                          This looks promising: https://github.com/tjmnmk/gadget_cdrom

                          It's using a Raspberry Pi Zero to emulate a USB CD-ROM. A menu on the device allows you to choose an ISO to boot from.

                          • brunoqc 1 year ago
                            That project isn't very active. The last significant commit was 3 years ago.
                            • 20after4 1 year ago
                              Doesn't really need to be active to be useful.
                          • transpute 1 year ago
                            It's more work, but there are sample configs for grub2 to boot multiple ISOs, https://news.ycombinator.com/item?id=38663958
                            • Gormo 1 year ago
                              You can create your own multi-boot media fairly easily with Syslinux. My understanding of Ventoy was that it was just a set of config scripts for Syslinux in the first place.
                              • Gormo 1 year ago
                                I remember that when I first encountered Ventoy a while back, it appeared to be just a bootable ISO pre-configured with Syslinux. I didn't use it much, since I already had my own Syslinux config with a variety of bootable environments that I found useful already set up.

                                Has it evolved into something more complex? It seems odd to complain about binary blobs in something that is meant to be a tool for aggregating pre-existing binary boot media into a single image.

                                • wakawaka28 1 year ago
                                  It's not odd because you may trust the boot media and not the actual tool. There should be a way to just dump ISO files directly onto a disk and be presented with a menu very simply to boot one of them. It would require the least amount of trust.
                                  • Gormo 1 year ago
                                    That's basically what Syslinux does -- copy your ISO to the boot media, add a config entry for it, and you're done.
                                    • wakawaka28 1 year ago
                                      Great, now how do I use that to replace a tool like Ventoy?
                                • nazgu1 1 year ago
                                  Are there any real concerns about Ventoy and security? So if I use it to boot an installer, the installed OS can be backdoored? Or is it just some "possibility", but rather unreal?
                                  • Dalewyn 1 year ago
                                    You're going to have to weigh the Chinese origins against what threats and risks you cannot or will not accept.

                                    Personally, I don't and use stuff like Rufus[1] instead.

                                    [1]: https://github.com/pbatard/rufus

                                    • stragies 1 year ago
                                      Rufus does not seem to have anywhere near the feature set of Ventoy, so not really a replacement.
                                      • gh02t 1 year ago
                                        netboot.xyz is also killer, though slightly different. I installed a permanent netboot version on my home server so I never need to boot an install disk again, but you can also flash it to USB.
                                        • korowod 1 year ago
                                          Does it work with ISOs from the USB? It looks like it would still need a remote host.
                                    • mrjin 1 year ago
                                      To be fair, the OP was somehow just pointing fingers. I took a quick look at the issue; 2 of 3 links mentioned actually come with detailed build instructions. It's only ventoy_unix that doesn't. Given that it's just someone's hobby project, I don't see that as a particular issue. A PR to fix those would be much better than the post.
                                      • svlasov 1 year ago
                                        I wonder if somebody already tried to compare installations made via Ventoy and not to spot any differences.
                                        • rldjbpin 1 year ago
                                          Ventoy is pretty useful even if it is potentially risky. They found a way around the Secure Boot problems (https://ventoy.net/en/doc_secure.html) and I will be the first to admit that I enrolled their keys on the devices I use.

                                          I am still waiting for an ergonomic way to have a persistent USB install of a Linux distro which does not kill the flash storage over time. Till then, I have similar levels of trust in the tool as I do with using Windows.

                                          • subjectsigma 1 year ago
                                            Saw the Alibaba/WeChat links and decided to use alternatives. This seems to be one more nail in the coffin
                                            • trueismywork 1 year ago
                                              What can ventoy do that `cp` cannot?
                                              • cl3misch 1 year ago
                                                My reason to use Ventoy is the possibility to have multiple ISOs on one single USB stick. Before, I would have to `dd` the new ISO to the stick, wiping what was there before. Effectively this resulted in more writes to flash and ultimately multiple broken USB sticks.

                                                FWIW, I think you mean `dd`.

                                                • Gormo 1 year ago
                                                  You can just use Syslinux with the memdisk module (if you want to boot full ISOs stored on the thumbdrive), or you can extract the ISOs into directory trees and configure Syslinux menu options to load the contents equivalently to the ISO's original bootloader (as long as they're not using hardcoded paths or volume labels to find the filesystems to mount).
                                                  • cl3misch 1 year ago
                                                    Thanks for the info. It does sound much more cumbersome than Ventoy. Given its current state as of the linked issue, I still should look into it...
                                                  • aidenscott2016 1 year ago
                                                    You can cp the image to a block device and it will work
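
The Syslinux-plus-memdisk layout Gormo describes above (and the earlier wish to "just dump ISO files onto a disk and be presented with a menu"), as an added shell example that is not from this thread nor from the Ventoy or Syslinux projects: it generates a syslinux.cfg from a list of ISO paths, so the only code that needs trusting is the stock Syslinux package. The stick mount point, the /boot/memdisk and /boot/menu.c32 locations and the /isos directory are assumptions.

```shell
#!/bin/sh
# Constructed example: build a Syslinux menu that boots whole ISO files via
# memdisk instead of having a tool patch the ISO's initramfs at boot time.
# Assumptions: the stick is mounted at $MNT, ISOs sit under $MNT/isos, and
# memdisk plus menu.c32 were copied from the syslinux package into $MNT/boot.
set -eu

# Print one LABEL stanza for an ISO path given relative to the stick root.
# memdisk is loaded as the "kernel", the ISO as its initrd, and "iso" tells
# memdisk to treat the image as an ISO 9660 disc.
gen_entry() {
    iso="$1"
    name=$(basename "$iso" .iso)
    printf 'LABEL %s\n' "$name"
    printf '  MENU LABEL Boot %s (memdisk)\n' "$name"
    printf '  LINUX /boot/memdisk\n'
    printf '  INITRD %s\n' "$iso"
    printf '  APPEND iso\n'
}

# Emit a complete syslinux.cfg for every ISO path given as an argument.
gen_config() {
    printf 'UI /boot/menu.c32\nPROMPT 0\nTIMEOUT 100\nMENU TITLE ISO menu\n\n'
    for iso in "$@"; do
        gen_entry "$iso"
        printf '\n'
    done
}

# Usage (uncomment on a real stick):
# MNT=/mnt/usb
# gen_config $(cd "$MNT" && ls isos/*.iso | sed 's|^|/|') > "$MNT/syslinux.cfg"
```

memdisk loads the entire image into RAM, so this works well for small images (memtest, DOS tools, firmware updaters); most full Linux live ISOs will not find their root filesystem this way, which is the hardcoded-path/volume-label problem Gormo mentions.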